British airline EasyJet says that it has been the victim of a cyberattack that exposed the email addresses and travel details of around 9 million of its customers, Bloomberg News reports. In a statement, the company said that, of these customers, 2,208 had their credit card details accessed by what the company describes as a “highly sophisticated” attack.
EasyJet said that it has already closed off the unauthorized access that allowed the data breach, and it has contacted customers who had their credit card details exposed. Although EasyJet says that “there is no evidence that any personal information of any nature has been misused,” it added that it will be contacting all 9 million customers who have been affected by the breach by May 26th. No passport details were exposed in the hack, The Guardian reports.
Outside of the customers who have had their credit card details exposed, the risk for most of the 9 million customers affected will be phishing attempts. Criminals will know if an individual has been an EasyJet customer, and could imitate the company’s emails as part of a scam. The company said it is advising customers to be cautious about any unsolicited emails claiming to be from EasyJet or EasyJet Holidays.
“We would like to apologise to those customers who have been affected by this incident,” EasyJet CEO Johan Lundgren said in a statement. “We are contacting those customers whose travel information was accessed and we are advising them to be extra vigilant, particularly if they receive unsolicited communications.”
When contacted for comment, a spokesperson for the UK’s data protection regulator, the Information Commissioner’s Office, confirmed that the agency is currently investigating the cyber attack and echoed EasyJet’s warning to watch out for suspected phishing scams. “Anyone affected by data breaches needs to be particularly vigilant to possible phishing attacks, and scam messages. We have published advice on our website about how to spot potential phishing emails,” the spokesperson said.
Update May 19th, 9:43AM ET: Updated with statement from Information Commissioner’s Office.